Last Monday, some prominent European data protection commentators, each with links deep within European Commission institutions, predicted that we would see fewer EU officials travelling to the UK to discuss and negotiate EU positions in future.
Because, increasingly, the UK is judged as “a lost cause”.
Monday’s workshop on the Data Retention and investigatory Powers Act, held at the Free Word Centre in Central London, with proceedings conducted (mostly) under Chatham House rules, was attended by a fair smattering of the UK’s data protection finest academics, practitioners and campaigners, together with some of the greatest of the good of the land.
While the focus of the meeting was on what ought to happen next in light of the speedy passage of DRIP through Parliament, and what preparations needed to be made to facilitate a more fundamental review of the Regulation of Investigatory Powers Act, 2000, a number of key observations were made which illustrate just how significantly the tectonic plates which frame the relationship between the UK and the European Union are shifting.
From a data protection perspective, this shift has some key implications.
Most importantly, the debate within the UK as to whether the new legal instrument setting out new data protection rules should be cast as a Regulation or a Directive becomes less significant.
Because by the time the deadline arrives for the new legal instrument to be implemented by EU Member States, the UK needs to plan for the possibility that it won’t be an EU Member State any more. In light of the “in-out EU referendum”, whenever that is held, some very smart minds now need to plan for the contingency that the UK will have cast itself away from the EU, and will therefore expect to be treated as a non-EU country with “adequate” data protection safeguards. Just like Andorra, Argentina, Guernsey, the Faroe Islands, the Isle of Man, Israel, Jersey, Uruguay and Israel – to mention but a few.
In this scenario, the UK’s revisions to the current 1988 Data Protection Act need not be as radical and as dogmatic as the changes that might be imposed on the data controllers situated elsewhere in the EU. The UK could even keep its DPA registration fee – which might well come as a relief to the MoJ bods currently struggling with the task of inventing a scheme similar to (but not called the same as) the current ICO funding process. This will allow data controllers, rather than public funds, to continue to meet the lion’s share of the ICO’s budget.
In this scenario, the UK won’t need to adopt all of the provisions in a Regulation to be accepted as having “adequate” data protection arrangements. Remember, after all, what the Article 29 Working Party had to say about the Faroe Islands back in 2007:
“While Faeroese law may not meet every requirement imposed upon the Member States by the Data Protection Directive, the Working Party is aware that adequacy does not mean complete equivalence with the level of protection set by the Directive. Thus, on the basis of the above mentioned findings, and the additional information given by the Faroe Islands, the Working Party concludes that the Faroe Islands ensure an adequate level of protection within the meaning of Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.”
Another really significant insight from the workshop came from someone who suggested that a huge amount of the blame for the UK needing to pass its emergency DRIP legislation actually lay at the door of the Irish Government.
Because had the Irish Government not have so spectacularly delayed the proceedings (it really not have needed to have taken some 7 years for the relevant cases to have been heard by the European Court of Justice), the legal arguments would have been assessed by judges in a “pre-Snowden” climate, where public “interest” (and press “outrage”) at the alleged activities of various national security agencies would have registered at a much lower level.
The Irish Government originally opposed the data retention proposals as it wanted communications data to be retained for 3 years, rather than the maximum of 2 years that was eventually agreed. So, it is ironic that much of the credit for striking down the Data Retention Directive has been taken by an Irish digital rights organisation.
The topic of drafting fresh EU-wide communications data retention legislation for law enforcement purposes seems currently far too toxic for the policymakers of EU Member States and for EU officials to want to visit again.
Before they do, they will need to possess more credible sets of cojones.